Security Alert: Be Cautious with Android Spyware -- GamblerSMS
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
Recently my research team came across an interesting piece of Android spyware -- GamblerSMS. This Android app is designed as spyware
and may be intended for monitoring children or a cheating spouse. (The name of this
spyware is shown as "SMS Spy".) By design, the spyware monitors every single SMS message received on or sent from the phone and
records every outgoing phone call. Once installed, the spyware first lets the user configure (another) phone number to receive the SMS messages
sent from the monitored phone and an email address to collect audio recordings of phone calls made from the monitored phone.
However, one interesting thing about this spyware is that the author of GamblerSMS also automatically
keeps a copy of ALL the recorded phone calls, which is probably unbeknownst to the spyware's users.
How it works:
The spyware can be installed on a phone without exhibiting an icon on the home screen. During installation,
it asks the user to provide a phone number to receive incoming/outgoing SMS messages and an email address to receive
recorded phone calls. After that, it runs silently in the background. Note that the spyware also automatically
bootstraps itself with a background service, SMSMonitor, every time the phone reboots.
Our initial analysis shows that when the monitored user receives an SMS message, GamblerSMS forwards the received SMS message to the provided phone number.
Also, when there is a new outgoing phone call, it starts recording the conversation and saves it to a file. This file is then sent to the given email address.
One interesting thing is that in order to send the recorded phone call to the given email address,
GamblerSMS uses a hardcoded email account and the standard SMTP protocol to send email. As a result, all the recorded phone calls sent
to the monitor's email address will also be in the "Sent Mail" box of the hardcoded email account, which means the author of GamblerSMS
will also have a copy of ALL recorded phone calls from ALL victims.
Mitigation:
We found this spyware in an unofficial Chinese Android market. To the best of our knowledge, the threat is not present in the official Android Market.
For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.
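As an added illustration of the permission check in the second guideline (not part of the original alert, and not GamblerSMS's own code), the Python script below reads a decoded AndroidManifest.xml and reports the combination described under "How it works": SMS access, audio recording, start at boot and no home-screen icon. The permission mapping is an assumption, the manifest is a constructed sample, and `triage` and `covert_monitor_profile` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

# Assumption: standard Android permissions the behaviours described above would need.
BEHAVIOUR_PERMS = {
    "handles SMS": {"RECEIVE_SMS", "READ_SMS", "SEND_SMS"},
    "records audio": {"RECORD_AUDIO"},
    "watches outgoing calls": {"PROCESS_OUTGOING_CALLS"},
    "has network access": {"INTERNET"},
}

def names(parent, tag):  # android:name of every <tag> element under parent
    return {e.get(NS + "name", "") for e in parent.iter(tag)}

def triage(manifest_xml):
    """Return the behaviours a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    requested = {n.rsplit(".", 1)[-1] for n in names(root, "uses-permission")}
    found = [label for label, perms in BEHAVIOUR_PERMS.items() if requested & perms]
    if any("android.intent.action.BOOT_COMPLETED" in names(r, "action")
           for r in root.iter("receiver")):
        found.append("starts at boot")
    if not any("android.intent.category.LAUNCHER" in names(a, "category")
               for a in root.iter("activity")):
        found.append("no launcher icon")
    return found

def covert_monitor_profile(found):
    """True when SMS access, audio recording, boot start and a hidden icon coincide."""
    return {"handles SMS", "records audio", "starts at boot", "no launcher icon"} <= set(found)

# Constructed sample, not the real manifest; only the name SMSMonitor is from the alert.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SMSMonitor"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE), covert_monitor_profile(triage(SAMPLE)))
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text (for instance with apktool) before it is passed to `triage`.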
Follow-ups:
- 07/22/2011: This article goes online.
- 07/20/2011: We detected an instance of GamblerSMS.
Last modified: July 22, 2011